
Email:

Another in the series of UPS shipment virus emails. Some versions use USPS instead.

The email claims "The courier company was not able to deliver your parcel by your address" because of an "Error in shipping address".

The email often spoofs payvesupport@ aexp.com and some_one@ fiserv.com as the sender. Nice touch to have a UPS notification come from American Express...

Other emails in the spoofed payvesupport@ aexp.com series:

Other emails in the spoofed fiserv.com series:

The payvesupport@ aexp.com spoofing became popular after the Payve Remit series of virus emails. It looks like the botnet owners just stuck with it.


Subject: UPS - Your package is available for pickup ( Parcel 1V512579 )

Subject: UPS - Your package is available for pickup ( Parcel FNH4UY3K )

Subject: USPS - Your package is available for pickup ( Parcel 487286520634 )

Subject: USPS - Missed package delivery

Subject: USPS - Missed package delivery ID:06

Subject: USPS - Your package is available for pickup ( Parcel EC329523734898US )

The courier company was not able to deliver your parcel by your address.

Cause: Error in shipping address.
You may pickup the parcel at our post office.
Please attention! For mode details and shipping label please see the attached file. Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.
CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (UPS , Inc.) th..... blah blah blah

Headers sample:

This email series has been re-used a lot. There are series that spoof usps.com, usps.gov, ups.com, aexp.com, fiserv.com, hsbc.co.uk, nothing, quickbooks.com, and others in the From headers, the Envelope headers, and the HELO.

Received: from 173-15-112-113-illinois.hfc.comcastbusiness.net [173.15.112.113]
X-Envelope-From: PAYVESUPPORT@ AEXP.COM
From: Tommy_Jensen@ fiserv.com

Received: from bband-dyn215.178-40-40.t-com.sk [178.40.40.215]
X-Envelope-From: fraud @aexp.com
From: "USPS Express Services" <service-notification @usps.gov>
Subject: USPS - Your package is available for pickup ( Parcel 607735208507 )

Received: from aexp.com ([69.199.101.37]
X-Envelope-From: fraud @aexp.com
From: "USPS Express Services" <service-notification @usps.gov>
Subject: USPS - Your package is available for pickup ( Parcel 734767192405 )

Received: from LMontsouris-156-26-8-103.w80-14.abo.wanadoo.fr [80.14.55.103]
X-Envelope-From: fraud @aexp.com
From: "USPS Express Services" <service-notification @usps.gov>
Subject: USPS - Your package is available for pickup ( Parcel 759837494629 )

Received: from aexp.com ([217.71.48.14]
X-Envelope-From: fraud @aexp.com
From: "USPS Express Services" <service-notification @usps.gov>
Subject: USPS - Your package is available for pickup ( Parcel 990965008608 )

Received: from 84-240-194-9.wimax-dynamic.almaty.aksoran.kz [84.240.194.9]
X-Envelope-From: service @hsbc.co.uk
From: "UPS Express Services" <service-notification @ups.com>

Received: from mo-p07-ob.rzone.de [81.169.146.190]
X-Envelope-From: [address obscured]
From: "USPS Express Services" <[address obscured]>
Subject: USPS - Missed package delivery ID:06

Received: from [204.246.246.10]
X-Envelope-From: ach.status @nacha.org
From: "USPS Express Services" <service-notification @usps.com>
Subject: USPS - Your package is available for pickup ( Parcel 910619847560 )

Received: from 63-235-18-178.dia.static.qwest.net [63.235.18.178]
X-Envelope-From: invoice @quickbooks.com
From: "UPS Quantum View" <auto-notify @ups.com>
Subject: UPS - Your package is available for pickup ( Parcel 6I1O4NLF )

Some spoofed HELOs there too: hsbc.co.uk and ups.com.
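The pattern in the header samples above (envelope sender, From address and connecting host belonging to unrelated domains, often with a pool-style host name) can be checked mechanically. The following Python is an added example, not part of the original post; the indicator names, the naive last-two-labels domain rule and the constructed sample headers (reserved example domains, documentation IP ranges) are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Matches "from host [ip]", "from host ([ip]" and "from [ip]" as in the samples.
RECEIVED = re.compile(r"from\s+(?:([^\s\[(]+)\s+)?\(?\[([\d.]+)\]")

def org_domain(host):
    # Naive "last two labels" rule (assumption); a real filter needs a
    # public-suffix list so that names like hsbc.co.uk are handled correctly.
    return ".".join(host.lower().strip(".").split(".")[-2:])

def addr_domain(value):
    value = re.sub(r"\s*@\s*", "@", value)  # tolerate "user @domain" spacing
    return org_domain(parseaddr(value)[1].rpartition("@")[2])

def check_headers(raw):
    """Return the spoofing indicators found in one header block."""
    msg = message_from_string(raw)
    env = addr_domain(msg.get("X-Envelope-From", ""))
    frm = addr_domain(msg.get("From", ""))
    m = RECEIVED.search(msg.get("Received", ""))
    host, ip = (m.group(1) or "", m.group(2)) if m else ("", "")
    findings = []
    if env and frm and env != frm:
        findings.append("envelope-from-mismatch")
    if ip and not host:
        findings.append("no-sender-hostname")
    # Pool-style reverse DNS: host name embeds two or more octets of the client IP.
    if host and sum(o in re.findall(r"\d+", host) for o in ip.split(".")) >= 2:
        findings.append("dynamic-rdns-sender")
    return findings

# Constructed samples in the layout used on this page (not real traffic).
SAMPLES = [
    "Received: from dyn-203-0-113-7.isp.example [203.0.113.7]\n"
    "X-Envelope-From: fraud @bank.example\n"
    'From: "Carrier Express Services" <service-notification @carrier.example>\n',
    "Received: from bank.example ([198.51.100.20]\n"
    "X-Envelope-From: fraud @bank.example\n"
    'From: "Carrier Express Services" <service-notification @carrier.example>\n',
    "Received: from [192.0.2.44]\n"
    "X-Envelope-From: ach.status @clearing.example\n"
    'From: "Carrier Express Services" <service-notification @carrier.example>\n',
    "Received: from mail.carrier.example [192.0.2.10]\n"
    "X-Envelope-From: notify@carrier.example\n"
    "From: Carrier <notify@carrier.example>\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_headers(sample))
```

A spoofed HELO that names the impersonated domain, as in the second sample, is not flagged by name alone; confirming it requires a DNS lookup of the connecting IP, which this offline example does not perform.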

Malware:

15 August 2014

Attached EC329523734898US.zip containing EC49320438US.scr

VirusTotal report 

Avast Win32:Malware-gen
Malwarebytes Trojan.Email.FakeDoc
Sophos Troj/Agent-AIKN
Symantec Trojan.Cryptodefense

Comodo report 

Deletes self

19 December 2013

Attachment Label_098536717338.zip containing Label_12192013.exe | VirusTotal report | Malwr.com report | File-Analyzer.net report

November 2013

Attachment Label_11052013.zip containing Label_11052013.exe | VirusTotal report | Malwr.com report

June 2013

Attachment USPS_Label_209660835189.zip containing USPS_Label_06062013.exe | VirusTotal report | Malwr report

March 2013

Attachment Label_8827712794.zip contains Label_8827712794.exe | VirusTotal report
